CompTIA Addresses Need for Security Professionals

Surely by now you’re familiar with CompTIA’s vendor-neutral, foundation-level certifications (A+, Network+, Server+, etc.). The newest certification in CompTIA’s stable has been dubbed Security+. And to catch up with demand for IT pros with foundation-level security knowledge, CompTIA has accelerated development of the new exam.

Development of the Security+ exam is in progress. The process, Fran Linhart, director of certifications for CompTIA, said, consists of a job task analysis, focus groups in the Americas, Europe and the Pacific Rim, item writing and review, and beta testing. The cornerstone committee, including members involved in the IT industry, government, training and academia, has not finalized the exam objectives yet, but when it does, more information will be posted on CompTIA’s Security+ Web site, at http://www.comptia.org/certification/securityplus/index.htm.

The Security+ beta exam is expected to be offered late in the third quarter of 2002, which is three to six months ahead of the typical development schedule for a CompTIA certification. The actual exam should be available before the end of 2002.

In the meantime, CompTIA is looking for subject matter experts (SMEs) around the world to aid in the development process. There are a number of ways to help, including participation in the focus groups, writing exam items and taking the beta exam. Security+ SME candidates should have:

* High-level knowledge of networking fundamentals.

* Three or more years of experience working in technical and security-related job roles.

Report: Hybrid Threats and Vulnerabilities Will Continue to Threaten Networks

Internet Security Systems (ISS), a provider of information protection solutions, released the Internet Risk Impact Summary (IRIS) report for the first quarter of 2002. The report illustrates cyber-attack trends based on monitored security devices, actual attacks detected and research on vulnerabilities.

IRIS was developed by the X-Force, ISS’s security research organization, and includes information from more than 350 network- and server-based intrusion detection sensors monitoring networks on four continents. Also included in the report is data from more than 400 managed firewalls, X-Force research and information gleaned from interaction with government, industry and academic sources.

According to the IRIS report, the average “AlertCon” risk level for the first quarter of 2002 was 1.5 out of 4, which means that an unprotected network device would be compromised in less than a day after it is connected to the Internet.

The most significant online risk comes from hybrid threats, including Nimda and Code Red. These threats combine viral payloads with multiple, automated attack scripts and take advantage of common computer vulnerabilities. In the first quarter of 2002, ISS monitored more than 7.5 million hybrid-related attacks.

Other findings include:

* X-Force uncovered and documented more than 537 new vulnerabilities in the first quarter.

* Hybrid threats and pre-attack reconnaissance together accounted for more than 80 percent of detected attacks.

* Computer-driven attacks (attacks that use automated scripts that execute commands according to code instructions) were operating 24×7 from January through March.

In light of some software vendors’ recent claims that they will focus more on security (e.g., Bill Gates’ highly publicized e-mail making security Microsoft’s priority), ISS expects the discovery of vulnerabilities to decrease. But this decrease will take time, so vulnerabilities are going to be a problem for “the foreseeable future.”

As more and more certification vendors add performance-based elements to their exams, hands-on training prior to the exam is becoming increasingly necessary. If you’re enrolled in instructor-led training, you’re likely to get some hands-on time in the classroom. But instructor-led training is usually the most expensive way to learn, and in t